Russia’s Election Hackers Use D.C. Cyber Warfare Conference as Bait

The Russian military hackers behind last year’s election meddling are using an upcoming cyber warfare conference in Washington D.C. as a lure to infect a new crop of victims with malware, security researchers said Sunday, effectively turning a high-level gathering packed with NATO and U.S. military cyber defenders into an opportunity for more attacks.

The new campaign by the hackers known as Fancy Bear and APT28 began in early October, when the hackers began spamming out a flier for next month’s International Conference on Cyber Conflict, or CyCon U.S. Hosted by the U.S. Army and a NATO cyber defense institute, the gathering features speakers like former NSA chief Keith Alexander, Gen. Paul Nakasone, who leads the U.S. Army Cyber Command, and Senator Martin Heinrich, a prominent Kremlin critic on the Senate Intelligence Committee’s investigation into Russian election meddling.

The Russian hackers’ flier for the event is a Microsoft Word document named “Conference_on_Cyber_Conflict.doc”. It contains the logos of the conference organizers and a sponsor, and text copied from the conference website touting the 2017 theme, “The Future of Cyber Conflict.” But Russia isn’t distributing the document to boost attendance. Buried inside is a malicious macro that downloads and installs malware called Seduploader, a Fancy Bear reconnaissance program that lets the hackers take screenshots and gather basic system information to decide if the victim is worth spying on long-term.

Beyond the simple irony of using a U.S. and NATO cyber security confab as bait for a hack attack, the campaign suggests that Fancy Bear is specifically interested in spying on efforts to thwart its hacking of Western targets.

“This conference has a lot of interesting attendees including current serving military members,” said Warren Mercer, technical leader at Cisco’s Talos threat intelligence group, which exposed the attack in a blog post on Sunday. “The attack on these kinds of individuals could yield extremely sensitive information and this is most likely what the actors were hoping for in this instance.”

Security companies and declassified U.S. intelligence findings have placed Fancy Bear as a component of the GRU, Russia’s military intelligence agency. The same hackers breached the Democratic National Committee and the e-mail account of Hillary Clinton campaign chair John Podesta, stealing documents that later showed up on Wikileaks as part of Russia’s active measures campaign, according to the U.S.

Sunday’s report from Cisco comes two days after the Department of Homeland Security issued an alert on another Russia-linked hacking group known as Dragonfly and Energetic Bear that’s been targeting control system operators at U.S. energy firms since May. “DHS has confidence that this campaign is still ongoing,” the Friday alert read, “and threat actors are actively pursuing their ultimate objectives over a long-term campaign.”

Russia’s “ultimate objective” remains a mystery. But read together, the reports paint a picture of a Kremlin hacking effort undeterred by the financial sanctions and embassy closures levied by the U.S. in response to the election meddling. On Thursday, the Russian embassy issued a fresh denial in a public Facebook post addressed to Nikki Haley, the U.S. ambassador to the United Nations. “We have repeatedly stated at all levels: Russia has not interfered in the internal affairs of the United States,” the post read. “Since November 2015 Moscow has suggested holding bilateral consultations on cyber threats, but Washington hasn’t shown readiness for that.”

CyCon U.S takes place November 7 and 8 at the Ronald Reagan building. It’s hosted by the U.S. Army Cyber Institute at the United States Military Academy, and the NATO Cooperative Cyber Defense Center of Excellence based in Estonia, a NATO institute set up in response to a massive denial-of-service attack launched by Russian hackers against Estonia’s Internet in 2007. Neither organization responded to e-mail inquirieson Sunday.

The new attack follows the same tradecraft Fancy Bear used in May when it circulated a poisoned Word document criticizing the U.S. bombing of air bases in Syria. But the May effort was more technically formidable, exploiting two previously-unknown security holes in Microsoft products. In contrast the new campaign will only work against people who enable macro execution in Microsoft Word—known to be a bad idea when opening an email attachment. The security researchers suspect Fancy Bear went with the simpler approach rather than risk exposing their more sophisticated exploits directly to people involved with computer security.

Cisco’s report, though, notes a spike in traffic to the malware’s control server on October 7, which suggests that some targets fell for the new attack even without advanced malware. “Users unfortunately fall victim because they are unaware that Word documents can be damaging,” says Mercer. “If the document appears legitimate a user can be easily tricked.”